Assistive technology with inadequate security, such as voice control interfaces, can provide malware with loopholes to circumvent security protocols

Source: oneclickroot.com

Assistive technology makes device usage more convenient for users, especially those with disabilities. However, these features have inadequate security because their implementation involves “inevitable trade-offs among compatibility, usability, security, and cost.” These trade-offs leave the system vulnerable to attackers who wish to gain access to and misuse assistive technologies. Researchers identified and demonstrated twelve different attacks that bypass the state-of-the-art security used by the four most popular computing platforms: Ubuntu Linux, iOS, Android, and Microsoft Windows.

Source: A11y Attacks: Exploiting Accessibility in Operating Systems

One of these demonstrations showed how a hacker can bypass the voice authentication of the Android platform’s Touchless Control. From the moment the user registers their voice with the Touchless Control app on the first boot-up, the app continuously monitors the microphone for the authentication phrase “OK Google Now.” After hearing the phrase, the app checks whether the voice signature matches the user’s registered signature. This design leaves the app vulnerable to replay attacks. Since the user repeats the phrase multiple times, the hacker creates malware that can record the user saying the phrase and then replays this recording through the device’s own speaker. After gaining access, the hacker can use the default text-to-speech library from Google Now to issue a variety of commands. The discovery of these security lapses is a major signal to OS vendors that they need to start implementing stronger security to protect users.

Citation: Jang, Yeongjin, Chengyu Song, Simon P. Chung, Tielei Wang, and Wenke Lee. "A11y Attacks: Exploiting Accessibility in Operating Systems." CCS '14 Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (2014): 103-15. Web. 23 Oct. 2015.
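
A small model of the fixed-phrase check described above, next to a hardened variant that rejects replayed audio. It is an added illustration, not code from the paper or from Touchless Control. The `Capture` fields, word list and voiceprint vectors are constructed, and it assumes a text-independent voiceprint and an OS signal for whether the device's own speaker was playing during capture.

```python
import math
import secrets
from dataclasses import dataclass

HOTWORD = "ok google now"
CHALLENGE_WORDS = ["amber", "river", "copper", "maple", "harbor", "violet"]  # constructed
THRESHOLD = 0.95  # constructed similarity cut-off

@dataclass
class Capture:
    """Simplified microphone capture (hypothetical model, not a real audio API)."""
    phrase: str               # transcript produced by the speech recognizer
    voiceprint: tuple         # speaker embedding extracted from the audio
    own_speaker_active: bool  # was this device playing audio during capture?

def similarity(a, b):
    """Cosine similarity between two voiceprint vectors."""
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.hypot(*a) * math.hypot(*b))

def static_auth(enrolled, cap):
    """Flow described in the text: fixed phrase plus voice signature match."""
    return cap.phrase == HOTWORD and similarity(enrolled, cap.voiceprint) >= THRESHOLD

def new_challenge():
    """Fresh phrase per attempt, so an earlier recording cannot contain it."""
    return " ".join(secrets.choice(CHALLENGE_WORDS) for _ in range(3))

def hardened_auth(enrolled, cap, challenge):
    if cap.own_speaker_active:   # sound from the device's own speaker is not a live user
        return False
    if cap.phrase != challenge:  # a recording only carries the old fixed phrase
        return False
    return similarity(enrolled, cap.voiceprint) >= THRESHOLD

def demo():
    enrolled = (0.12, 0.80, 0.55, 0.21)  # constructed enrollment voiceprint
    live = Capture(HOTWORD, (0.13, 0.79, 0.56, 0.20), False)
    # A replayed recording is acoustically the same as the live capture;
    # the only difference is that the device's own speaker produced it.
    replay = Capture(live.phrase, live.voiceprint, True)
    challenge = new_challenge()
    fresh = Capture(challenge, live.voiceprint, False)
    return {
        "static_live": static_auth(enrolled, live),
        "static_replay": static_auth(enrolled, replay),
        "hardened_replay": hardened_auth(enrolled, replay, challenge),
        "hardened_fresh": hardened_auth(enrolled, fresh, challenge),
    }

if __name__ == "__main__":
    print(demo())
```

The fixed-phrase check cannot tell the replay from the live user because both carry the same phrase and voiceprint; the hardened check needs information the recording does not have.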